Report a security vulnerability

stefanie_pachne — Thu, 30 Apr 2026 09:23:38 GMT

This is a Self Service Diagnostics article of type Partial-Self-Service.

Self Service Summary

Issue	Solution	Tasks	Alternative
A Dynatrace component is suspected to be vulnerable.	Get in touch with Support after and checking cve-status.dynatrace.com	Check Dynatrace CVE status (Common Vulnerabilities and Exposures) page at cve-status.dynatrace.com for summaries of known vulnerabilities and exposures in Dynatrace components. If no one else has reported the problem, create a support ticket. Gather below listed information with your security team. Consider below listed best practices for scanning a Dynatrace component. Consider tips after scanning and before reporting scan results to Dynatrace for a quick resolution. Create the ticket using this link.	Search CVE-# within the Release Notes

Support Ticket Content

Work with your Security Team to provide the following Self Service Diagnostics:

Dynatrace component: Which component incl. version is suspected to be vulnerable (e.g. SaaS 1.240, Managed 1.240, OneAgent 1.240, ActiveGate 1.239)
Which deployment type was used: Installer or container image
Vulnerability source and details: Describe how the vulnerability was found and attach if applicable:
- CVE-#
- Tool/scanner name
- Path to the affected library
- Complete report/test result
- How to reproduce the security concern/pentest (e.g. attack vector, exploit)
- Severity level or CVSS
Required update: As a customer, I want to know e.g.
- If I am affected
- How I am affected
- If it is of high severity
- In which version it will be fixed
- When the fix version will be available

What / how to scan

Scan and report security findings for the latest version of the Dynatrace component.
- We officially support many versions of OneAgent, ActiveGate, Operator, etc. but our development teams will not re-release an old version, unless there is evidence that we are indeed affected by a vulnerability, or the vulnerability is highly severe and we cannot rule out the likelihood of practical exploitation.
- CVEs related to operating system components (curl, glibc, gnutls, etc.) can only be fixed by updating the used container base images. We do not maintain these base images ourselves but use minimal and hardened base images from external publishers.
Dynatrace SBOMs include a detailed inventory of software components and dependencies. They enable effective vulnerability management, identification of license compliance issues, and support end-to-end visibility of supply chain risks. When scanning Dynatrace Operator or ActiveGate, you can scan the sbom.json directly (see Software Bill of Materials (SBOM) on how to "Retrieve SBOM file from verification output"). Examples:
- OSV scanner: osv-scanner scan --sbom sbom.json
- Trivy scanner: trivy -q sbom sbom.json
When scanning Dynatrace container images for vulnerabilities, perform security checks on the static, non-running image.
- Some scanning appliances collect insights from running container workloads. The problem with this type of dynamic check is that scanners often cannot distinguish whether a security problem actually affects our image or the environment it is running in. Our development teams cannot make statements about CVEs that relate to components outside of our control and it is the customer’s responsibility to ensure that they are up to date.
- If scanning tools are technically limited to checking only running container workloads, it is crucial that customers triage found CVEs upfront and filter out any items that have no obvious connection to OneAgent, ActiveGate, or Operator in their respective file paths.
  - Dynatrace assets are typically located in paths, such as /opt/dynatrace , /var/lib/dynatrace or /var/log/dynatrace

What to check after the scan

Check if there is a Dynatrace setting for the affected component, e.g. ActiveGate or Managed certificates are managed on your/customer side. See also: VA scan shows insecure cipher / certificate
Check if a newer version of Dynatrace OneAgent, ActiveGate, Operator, etc. is available. If yes, update and then repeat the scan process.
To check the status of individual CVEs, see if a statement available on https://cve-status.dynatrace.com
When reporting CVEs for scanned container images, it is important to provide an exact image identifier (where it was downloaded from), to indicate which version was scanned, and which scanner was used.
- Note that latest is not a valid version. It is a tag that always references the newest version and is reset whenever a new release is published.
Dynatrace Operator downloads OneAgent. CVE findings related to OneAgent are often falsely reported as impacting DT Operator. A good indicator to spot that findings are related to OneAgent is if the scanned image also includes an identifier, such as linux/oneagent.
If Dynatrace Operator or ActiveGate is scanned, you can refer to its Software Bill of Materials (SBOM) to obtain a list of all components included. Only CVE findings that relate to one of the shipped components can potentially be handled by Dynatrace.
For other assets, you can find the components in the corresponding open source report file provided in our Trust Center.

Re: Security vulnerability

ChadTurner — Tue, 10 Jan 2023 13:57:46 GMT

Great template, thanks @stefanie_pachne

Re: Report a security vulnerability

Kenny_Gillette — Thu, 11 Jul 2024 13:06:30 GMT

This is great.

Please update to add CVE-2023-6597 which is not on the list. FYI........I did put in a ticket for this first. Feel free to email me and I can share ticket.